From 4043525df8ae203e9fff814d1a92bca082ec8dc0 Mon Sep 17 00:00:00 2001
From: "Wang, Fei"
Date: Wed, 7 Aug 2024 18:00:48 +0800
Subject: [PATCH] [KYUUBI #6592] Add uploadWorkDir into local dir allow list and do not skip check for resource uploaded use case
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# :mag: Description
## Issue References ๐Ÿ”—
As title, for security concern. Before, it skips to check the local dir access for resource upload use case, which is not expected.
## Describe Your Solution ๐Ÿ”ง
Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.
## Types of changes :bookmark:
- [ ] Bugfix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
## Test Plan ๐Ÿงช
#### Behavior Without This Pull Request :coffin:
#### Behavior With This Pull Request :tada:
#### Related Unit Tests
---
# Checklist ๐Ÿ“
- [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html)
**Be nice. Be informative.**
Closes #6592 from turboFei/check_batch_access.
Closes #6592
80cbc7414 [Wang, Fei] do not check if is empty
a82fe8e87 [Wang, Fei] check batch access
Authored-by: Wang, Fei
Signed-off-by: Cheng Pan
(cherry picked from commit d643e35310edb1ea7837f63e6cc53eb78b6648af)
Signed-off-by: Cheng Pan
---
 .../org/apache/kyuubi/engine/KyuubiApplicationManager.scala | 3 ++-
 .../scala/org/apache/kyuubi/session/KyuubiBatchSession.scala | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/KyuubiApplicationManager.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/KyuubiApplicationManager.scala
index f8b640053..a34b0f66a 100644
--- a/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/KyuubiApplicationManager.scala
+++ b/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/KyuubiApplicationManager.scala
@@ -123,8 +123,9 @@ object KyuubiApplicationManager {
 }

 private[kyuubi] def checkApplicationAccessPath(path: String, conf: KyuubiConf): Unit = {
- val localDirAllowList = conf.get(KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST)
+ var localDirAllowList: Set[String] = conf.get(KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST)
 if (localDirAllowList.nonEmpty) {
+ localDirAllowList ++= Set(uploadWorkDir.toUri.getPath)
 val uri =
 try {
 new URI(path)
diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/session/KyuubiBatchSession.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/session/KyuubiBatchSession.scala
index 612a546e1..0ba7c0c8d 100644
--- a/kyuubi-server/src/main/scala/org/apache/kyuubi/session/KyuubiBatchSession.scala
+++ b/kyuubi-server/src/main/scala/org/apache/kyuubi/session/KyuubiBatchSession.scala
@@ -145,7 +145,7 @@ class KyuubiBatchSession(
 batchType,
 optimizedConf,
 sessionManager.getConf)
- if (resource != SparkProcessBuilder.INTERNAL_RESOURCE && !isResourceUploaded) {
+ if (resource != SparkProcessBuilder.INTERNAL_RESOURCE) {
 KyuubiApplicationManager.checkApplicationAccessPath(resource, sessionManager.getConf)
 }
 }
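Review bot: The entry added by `localDirAllowList ++= Set(uploadWorkDir.toUri.getPath)` goes into the allow list exactly as `toUri.getPath` returns it, and nothing in this hunk guarantees that it ends with a path separator. The comparison against `path` lies below the hunk; if it is a prefix match, a directory whose name merely begins with the upload directory's name would be accepted as well. Terminating the entry explicitly, e.g. `localDirAllowList += uploadWorkDir.toUri.getPath.stripSuffix("/") + "/"`, closes that gap and drops the one-element `Set`. A short comment that the upload directory is only added when an allow list is configured (an empty list leaves the check off, as before) would also help; the function body continues outside the hunk.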
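Review bot: The widened condition `if (resource != SparkProcessBuilder.INTERNAL_RESOURCE)` ships without a test: the diffstat lists two files, both under `src/main`, and the description's "Related Unit Tests" section is empty. Uploaded resources are now validated and appear to pass only because `checkApplicationAccessPath` appends `uploadWorkDir` to the allow list, so one case with a non-empty allow list and an uploaded resource, plus one with a path outside the list, would pin the intended behaviour. A comment at the call, such as `// uploaded resources are checked too; uploadWorkDir is allow-listed inside checkApplicationAccessPath`, would keep that coupling visible. The enclosing method starts and ends outside the hunk.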